The mof_ps_persist.rb module will attempt to use a crafted Managed Object File (MOF) to execute Windows Management Instrumentation (WMI) calls on the local host. The WMI queries leverage powershell.exe for command execution and spawn outbound connections to the listening Metasploit server. Local administrative rights, along with an existing Meterpreter session, are required for successful persistence.
- The attacker runs the mof_ps_persist.rb module via an existing Meterpreter session, crafting an MOF file that executes PowerShell commands when a WMI event subscription fires.
- The target host loads the crafted MOF file, which registers an event subscription that monitors for local events; when those events fire, the subscription runs the PowerShell command, giving the attacker command execution.
The attacker must already have compromised the host through some other entry vector so that the malicious files can be placed on the victim machine; the local administrative rights and existing Meterpreter session noted above are then required for persistence to succeed.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
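As an added illustration of the log-based detection described above (not Alert Logic's own signature logic), the following Python routine parses constructed WMI subscription-registration messages and flags CommandLineEventConsumer entries that launch powershell.exe. It assumes the message layout of Microsoft-Windows-WMI-Activity/Operational event 5861, which the advisory does not name; the sample records and their names are made up.

```python
import re

# Constructed sample messages modelled on Microsoft-Windows-WMI-Activity/Operational event 5861,
# logged when a permanent WMI event subscription is registered. Layout is an assumption; values are made up.
SAMPLE_EVENTS = [
    'Namespace = //./root/subscription; Eventfilter = updfilter (refer to its activate eventid:5859); '
    'Consumer = CommandLineEventConsumer="updconsumer"; PossibleCause = Binding EventFilter: '
    'instance of __EventFilter { Name = "updfilter"; Query = "SELECT * FROM __InstanceModificationEvent '
    'WITHIN 60 WHERE TargetInstance ISA \'Win32_PerfFormattedData_PerfOS_System\'"; }; '
    'Perm. Consumer: instance of CommandLineEventConsumer { CommandLineTemplate = '
    '"powershell.exe -NoP -W Hidden -Enc <base64-placeholder>"; Name = "updconsumer"; };',
    # A built-in Windows subscription with a different consumer class: not a command line at all.
    'Namespace = //./root/subscription; Eventfilter = SCM Event Log Filter; '
    'Consumer = NTEventLogEventConsumer="SCM Event Log Consumer"; PossibleCause = Binding EventFilter: ...',
    # A command-line consumer that does not launch PowerShell: outside this rule's scope.
    'Namespace = //./root/subscription; Eventfilter = nightly; Consumer = CommandLineEventConsumer="backup"; '
    'PossibleCause = Binding EventFilter: instance of __EventFilter { Name = "nightly"; Query = "SELECT * '
    'FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA \'Win32_LocalTime\'"; }; '
    'Perm. Consumer: instance of CommandLineEventConsumer { CommandLineTemplate = "C:\\Tools\\backup.exe /daily"; };',
]

CONSUMER_RE = re.compile(r'Consumer = (\w+)="([^"]*)"')
QUERY_RE = re.compile(r'Query = "([^"]*)"')
CMDLINE_RE = re.compile(r'CommandLineTemplate = "([^"]*)"')
# Arguments typical of a consumer that launches PowerShell to run a hidden, pre-encoded payload.
SUSPICIOUS_ARGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden",
                   "-nop", "downloadstring", "invoke-expression")

def parse_subscription_event(message):
    # Extract consumer class and name, the filter's WQL query and any command line from one message.
    consumer = CONSUMER_RE.search(message)
    if consumer is None:
        return None
    query, cmdline = QUERY_RE.search(message), CMDLINE_RE.search(message)
    return {"consumer_type": consumer.group(1), "consumer_name": consumer.group(2),
            "filter_query": query.group(1) if query else None,
            "command": cmdline.group(1) if cmdline else None}

def find_powershell_subscriptions(messages):
    # Return subscriptions whose CommandLineEventConsumer launches PowerShell, graded by argument pattern.
    findings = []
    for message in messages:
        record = parse_subscription_event(message)
        if record is None or record["consumer_type"] != "CommandLineEventConsumer":
            continue
        command = (record["command"] or "").lower()
        if "powershell" not in command:
            continue  # other command-line consumers still deserve a baseline review, just not this alert
        record["reasons"] = [arg for arg in SUSPICIOUS_ARGS if arg in command]
        record["severity"] = "high" if record["reasons"] else "medium"
        findings.append(record)
    return findings
```

Feeding the same records through a SIEM rule gives the console incident the advisory describes; the filter_query field tells the responder which local event the subscription waits on.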
Recommendations for Mitigation
Ensure that all public internet-facing hosts have the most up-to-date patches applied.